
SEKOIA.IO Endpoint Agent

SEKOIA.IO provides its own agent, which collects interesting events with minimal configuration overhead. This agent sends events directly to SEKOIA.IO.

Note

The SEKOIA.IO agent is currently in beta for Windows and Linux only.

Supported OS versions

The Endpoint Detection Agent supports the following operating systems:

  • Windows 8
  • Windows 10
  • Windows 11
  • Windows server 2016
  • Windows server 2019
  • Windows server 2022

Linux distributions based on a kernel version of 3.10 or newer should be supported by the agent.

Here's a non-exhaustive list of supported distributions:

  • Ubuntu 14.04 and newer
  • Debian 8 and newer
  • CentOS 7 and newer

Installation

Intake creation and download of the executable

The first step to use the agent is to create a new intake associated with the SEKOIA.IO Agent. A link to download the latest version of the agent is available in the description of the intake.

[Screenshot: SEKOIA.IO for Endpoints intake]

Installation

The Endpoint Detection Agent is easy to install on Windows or Linux systems once you have created a dedicated intake key on SEKOIA.IO XDR.

On Windows, the following command must be executed as an administrator:

agent.exe -install -intake-key <INTAKE_KEY>

To make sure the agent has been successfully installed as a service you can run the following command:

Get-Service SEKOIAEndpointAgent

On Linux, if auditd is running on the machine, you must disable it before installing the agent:

sudo systemctl stop auditd
sudo systemctl disable auditd

Now that auditd is disabled you can install the agent:

chmod +x ./agent
sudo ./agent -install -intake_key <INTAKE_KEY>

To make sure the agent has been successfully installed as a service you can run the following command:

sudo systemctl status SEKOIAEndpointAgent.service

Once installed, the agent collects event logs, normalizes them and sends them to SEKOIA.IO. The contacted domain, intake.sekoia.io, uses the IP address 145.239.192.38. Events are sent over HTTPS (port 443).

Event Categories

The following table lists the data sources offered by this integration.

Data Source | Description
Access tokens | security identifiers are extracted from several events
Anti-virus | Windows Defender events are analyzed, and need to be specifically set up
Authentication logs | audit logon events are examined in detail
DLL monitoring | information about DLLs is extracted from several events
File monitoring | information about files is extracted from several events
Host network interface | Windows Filtering Platform collects information on processes having network activities
Loaded DLLs | Sysmon events provide information on DLL loading
PowerShell logs | Windows PowerShell logs are analyzed, and need to be specifically set up
Process command-line parameters | Windows Security Auditing logs provide information about process creation
Process monitoring | Windows Security Auditing logs are process tracking events
Process use of network | Windows Filtering Platform collects information on processes having network activities
Windows event logs | events related to Windows Event Log shutdown or restart are analyzed
Windows Registry | registry auditing events are examined in detail
WMI Objects | Windows WMI Activity events are analyzed, and events related to WMI processes too

Event Samples

Find below a few samples of events and how they are normalized by SEKOIA.IO.

{
    "@timestamp": "2022-06-02T12:23:19.097868Z",
    "agent": {
        "id": "c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857",
        "version": "0.1.0"
    },
    "action": {
        "id": 22,
        "properties": {
            "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            "Keywords": "0x8000000000000000",
            "ProcessGuid": "{033fb112-653e-6298-8301-000000001000}",
            "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
            "RuleName": "-",
            "Severity": "INFO",
            "SourceName": "Microsoft-Windows-Sysmon",
            "User": "TEST-PC\\test",
            "UtcTime": "2022-06-02 12:23:18.607"
        }
    },
    "dns": {
        "answers": [
            {
                "name": "scontent.xx.fbcdn.net",
                "type": "CNAME"
            },
            {
                "data": "157.240.21.20",
                "type": "A"
            },
            {
                "data": "185.89.219.11",
                "type": "A"
            },
            {
                "data": "129.134.30.11",
                "type": "A"
            },
            {
                "data": "185.89.218.11",
                "type": "A"
            },
            {
                "data": "129.134.31.11",
                "type": "A"
            },
            {
                "data": "2a03:2880:f1fd:b:face:b00c:0:99",
                "type": "AAAA"
            },
            {
                "data": "2a03:2880:f0fc:b:face:b00c:0:99",
                "type": "AAAA"
            },
            {
                "data": "2a03:2880:f1fc:b:face:b00c:0:99",
                "type": "AAAA"
            },
            {
                "data": "2a03:2880:f0fd:b:face:b00c:0:99",
                "type": "AAAA"
            }
        ],
        "question": {
            "name": "connect.facebook.net",
            "size_in_char": 20
        },
        "response_code": "0"
    },
    "event": {
        "code": "22",
        "provider": "Microsoft-Windows-Sysmon"
    },
    "host": {
        "hostname": "test-PC"
    },
    "process": {
        "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "name": "chrome.exe",
        "pid": 6440
    },
    "user": {
        "name": "test",
        "domain": "TEST-PC"
    },
    "related": {
        "hosts": [
            "test-PC"
        ],
        "user": [
            "test"
        ]
    }
}
{
    "@timestamp": "2022-06-02T12:18:37.6722336Z",
    "agent": {
        "id": "c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857",
        "version": "0.1.0"
    },
    "event": {
        "action": "stats",
        "category": "host",
        "kind": "metric",
        "type": "info"
    },
    "host": {
        "hostname": "test-PC",
        "uptime": 17899
    },
    "sekoiaio": {
        "agent": {
            "cpu_usage": 0.26030037,
            "memory_usage": 0.14199863
        },
        "intake": {
            "dialect": "sekoiaio-endpoint",
            "dialect_uuid": "250e4095-fa08-4101-bb02-e72f870fcbd1"
        },
        "host": {
            "cpu_usage": 12.285156,
            "memory_total": 16961064960,
            "memory_available": 8049606656,
            "memory_usage": 52
        }
    },
    "related": {
        "hosts": [
            "test-PC"
        ]
    }
}
{
    "@timestamp": "2022-07-13T17:35:34.7697263Z",
    "agent": {
        "id": "d54749e87baf4b60ec7a9e51e16f1ee39f4aeaaf3070da908e0627cd02cf62f7",
        "version": "0.1.0"
    },
    "action": {
        "id": 3,
        "outcome": "success",
        "properties": {
            "Keywords": "0x8000000000000020",
            "ProviderGuid": "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}",
            "Severity": "INFO",
            "SourceName": "Microsoft-Windows-Kernel-Process",
            "StackBase": "0xFFFFDF00357DA000",
            "StackLimit": "0xFFFFDF00357D4000",
            "StartAddr": "0xFFFFF8020AE71320",
            "SubProcessTag": "190",
            "TebBase": "0x0",
            "UserStackBase": "0x0",
            "UserStackLimit": "0x0",
            "Win32StartAddr": "0xFFFFF8020AE71320"
        }
    },
    "event": {
        "action": "remote-thread-created",
        "category": [
            "process"
        ],
        "code": "8",
        "provider": "SEKOIA-IO-Endpoint",
        "type": [
            "creation"
        ],
        "outcome": "success"
    },
    "host": {
        "hostname": "DESKTOP-Q2PN4RP"
    },
    "process": {
        "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain",
        "executable": "C:\\Windows\\system32\\svchost.exe",
        "name": "svchost.exe",
        "parent": {
            "pid": 656
        },
        "pid": 1356,
        "thread": {
            "id": 1480
        },
        "args": [
            "C:\\Windows\\system32\\svchost.exe",
            "-k",
            "LocalSystemNetworkRestricted",
            "-p",
            "-s",
            "SysMain"
        ]
    },
    "related": {
        "hosts": [
            "DESKTOP-Q2PN4RP"
        ]
    },
    "sekoiaio": {
        "process": {
            "guid": "1d63ca73-6449-5fa9-8ca0-5ed461943a01"
        },
        "source_process": {
            "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain",
            "executable": "C:\\Windows\\system32\\svchost.exe",
            "name": "svchost.exe",
            "parent": {
                "pid": 656
            },
            "pid": 1356,
            "thread": {
                "id": 1480
            },
            "args": [
                "C:\\Windows\\system32\\svchost.exe",
                "-k",
                "LocalSystemNetworkRestricted",
                "-p",
                "-s",
                "SysMain"
            ],
            "guid": "1d63ca73-6449-5fa9-8ca0-5ed461943a01"
        },
        "target_process": {
            "pid": 4,
            "thread": {
                "id": 5096
            },
            "guid": "4392d6e4-f852-559f-858c-a4351889e3c4"
        }
    }
}
{
    "@timestamp": "2022-06-23T13:10:31.7691464Z",
    "agent": {
        "id": "3598e70397f8931e6288d7aa4075d336bee33fa6224627218e7b67587c3a62e9",
        "version": "0.1.0"
    },
    "action": {
        "id": 1151,
        "properties": {
            "AS security intelligence creation time": "23/06/2022 03:14:37",
            "AS security intelligence version": "1.369.112.0",
            "AV security intelligence creation time": "23/06/2022 03:14:37",
            "AV security intelligence version": "1.369.112.0",
            "BM state": "Activ\u00e9",
            "Engine up-to-date": "0",
            "Engine version": "1.1.19300.2",
            "IOAV state": "Activ\u00e9",
            "Keywords": "0x8000000000000000",
            "Last AS security intelligence age": "0",
            "Last AV security intelligence age": "0",
            "Last full scan age": "4294967295",
            "Last full scan end time": "01/01/1601 00:00:00",
            "Last full scan source": "0",
            "Last full scan start time": "01/01/1601 00:00:00",
            "Last quick scan age": "1",
            "Last quick scan end time": "22/06/2022 10:01:43",
            "Last quick scan source": "2",
            "Last quick scan start time": "22/06/2022 10:00:16",
            "Latest engine version": "1.1.19300.2",
            "Latest platform version": "4.18.2205.7",
            "NRI engine version": "1.1.19300.2",
            "NRI security intelligence version": "1.369.112.0",
            "OA state": "Activ\u00e9",
            "Platform up-to-date": "1",
            "Platform version": "4.18.2205.7",
            "Product Name": "Antivirus Microsoft Defender",
            "Product status": "0x00080000",
            "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
            "RTP state": "Activ\u00e9",
            "Severity": "INFO",
            "SourceName": "Microsoft-Windows-Windows Defender",
            "Unused": ""
        }
    },
    "event": {
        "code": "1151",
        "provider": "Microsoft-Windows-Windows Defender"
    },
    "host": {
        "hostname": "test-PC"
    },
    "related": {
        "hosts": [
            "test-PC"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name | Type | Description
@timestamp | date | Date/time when the event originated.
event.action | keyword | The action captured by the event.
event.category | keyword | Event category. The second categorization field in the hierarchy.
event.code | keyword | Identification code for this event.
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy.
event.provider | keyword | Source of the event.
event.type | keyword | Event type. The third categorization field in the hierarchy.
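An added example (not part of the SEKOIA.IO integration) showing how a detection engineer could work with the normalized events above: a dotted-path getter for the ECS fields in the table, a health check over the Windows Defender 1151 report, and a pair extractor for the remote-thread-created events that feeds a baseline. The events embedded below are constructed, trimmed copies of the samples in the previous section; the reading of the Defender counters (0 in an up-to-date flag means stale, a scan age of 4294967295 means no scan has ever run) is an interpretation of ours and is marked as such in the code.

```python
"""Triage helpers over SEKOIA.IO Endpoint Agent events after normalization.

Added example, not part of the SEKOIA.IO integration. The events below are
constructed, trimmed copies of the page's samples; field paths follow the ECS
names the parser emits (event.code, event.provider, ...).
"""

SAMPLE_EVENTS = [
    {  # Sysmon event 22: DNS query by chrome.exe
        "@timestamp": "2022-06-02T12:23:19.097868Z",
        "event": {"code": "22", "provider": "Microsoft-Windows-Sysmon"},
        "dns": {"question": {"name": "connect.facebook.net"}, "response_code": "0"},
        "process": {"executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                    "name": "chrome.exe", "pid": 6440},
    },
    {  # agent heartbeat with host metrics
        "@timestamp": "2022-06-02T12:18:37.6722336Z",
        "event": {"action": "stats", "category": "host", "kind": "metric", "type": "info"},
        "host": {"hostname": "test-PC", "uptime": 17899},
    },
    {  # agent-native event 8: a thread created in another process
        "@timestamp": "2022-07-13T17:35:34.7697263Z",
        "event": {"action": "remote-thread-created", "category": ["process"], "code": "8",
                  "provider": "SEKOIA-IO-Endpoint", "type": ["creation"], "outcome": "success"},
        "sekoiaio": {
            "source_process": {"executable": "C:\\Windows\\system32\\svchost.exe", "pid": 1356},
            "target_process": {"pid": 4},
        },
    },
    {  # Windows Defender 1151 health report
        "@timestamp": "2022-06-23T13:10:31.7691464Z",
        "event": {"code": "1151", "provider": "Microsoft-Windows-Windows Defender"},
        "action": {"properties": {"Engine up-to-date": "0", "Platform up-to-date": "1",
                                  "Last full scan age": "4294967295",
                                  "Last full scan end time": "01/01/1601 00:00:00",
                                  "Last quick scan age": "1"}},
    },
]

# The extracted fields listed on the page.
ECS_FIELDS = ("@timestamp", "event.action", "event.category", "event.code",
              "event.kind", "event.provider", "event.type")


def get_path(event, dotted, default=None):
    """Resolve a dotted ECS path such as "event.code" against a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def as_list(value):
    """ECS categorization fields may be a scalar or a list; compare them uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ecs_summary(event):
    """The page's extracted fields, for those present on this event."""
    return {f: get_path(event, f) for f in ECS_FIELDS if get_path(event, f) is not None}


# Assumption: Defender encodes "never" as 0xFFFFFFFF days; the matching end time in the
# sample is 01/01/1601, the FILETIME epoch, which is consistent with that reading.
NEVER = "4294967295"


def defender_health_findings(event):
    """Findings from a Defender 1151 report. The interpretation of the counters is ours:
    "0" in an up-to-date flag means stale, a NEVER scan age means no full scan ever ran."""
    if (get_path(event, "event.code"), get_path(event, "event.provider")) != (
            "1151", "Microsoft-Windows-Windows Defender"):
        return []
    props = get_path(event, "action.properties", {})
    findings = []
    if props.get("Engine up-to-date") == "0":
        findings.append("engine-outdated")
    if props.get("Platform up-to-date") == "0":
        findings.append("platform-outdated")
    if props.get("Last full scan age") == NEVER:
        findings.append("no-full-scan-ever")
    # The "* state" fields are localized strings ("Activé" in the sample), so they are
    # deliberately not compared against an English literal here.
    return findings


def remote_thread_pairs(events):
    """(source executable, target pid) pairs for cross-process thread creation: the raw
    material for a per-host baseline, collected before any alerting is attempted."""
    pairs = []
    for ev in events:
        if get_path(ev, "event.action") != "remote-thread-created":
            continue
        if "process" not in as_list(get_path(ev, "event.category")):
            continue
        pairs.append((get_path(ev, "sekoiaio.source_process.executable"),
                      get_path(ev, "sekoiaio.target_process.pid")))
    return pairs
```

On the sample data, the Defender report yields the findings engine-outdated and no-full-scan-ever, while the thread-creation event yields a single svchost.exe to pid 4 pair; the getter returns the default for any path absent from an event, so the same helpers work on records from the other data sources in the Event Categories table.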

Proxy Support

If needed, the SEKOIA.IO agent can use a proxy server for its HTTPS requests. To enable this feature, edit the configuration file, located at the following path on Windows:

C:\Windows\System32\config\systemprofile\AppData\Local\SEKOIA.IO\EndpointAgent\config.yaml

and at the following path on Linux:

/etc/endpoint-agent/config.yaml

and add the following line:

HTTPProxyURL: "<PROXY_URL>"

If you want to automate the installation of the agent with this configuration option, make sure that a config.yaml file with this line is present in the working directory before launching the install command.
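The installation steps from the Installation section and the automation note above, combined into one script. This is an added example, not SEKOIA.IO's own tooling: it assumes the agent binary sits in the working directory (agent.exe on Windows, ./agent on Linux), reads the intake key from an INTAKE_KEY environment variable and an optional proxy from PROXY_URL, and keeps the page's per-OS flag spelling (-intake-key on Windows, -intake_key on Linux). The `run` parameter of `install` is injectable so the plan can be exercised without root.

```python
"""Cross-platform, unattended install of the SEKOIA.IO Endpoint Agent.

Added example, not SEKOIA.IO's own tooling. It assumes the agent binary is in
the current directory (agent.exe on Windows, ./agent on Linux) and reproduces
the page's steps: stop and disable auditd on Linux first, drop an optional
config.yaml with HTTPProxyURL in the working directory, run -install, then
check that the service exists.
"""
import os
import platform
import subprocess
import sys

AGENT_SERVICE = "SEKOIAEndpointAgent"


def build_install_command(os_name, intake_key):
    """argv for the install step; the flag spelling differs per OS on the page."""
    if os_name == "Windows":
        return ["agent.exe", "-install", "-intake-key", intake_key]
    if os_name == "Linux":
        return ["./agent", "-install", "-intake_key", intake_key]
    raise ValueError(f"unsupported OS: {os_name}")


def build_verify_command(os_name):
    """Command that confirms the service was registered after installation."""
    if os_name == "Windows":
        return ["powershell", "-Command", f"Get-Service {AGENT_SERVICE}"]
    return ["systemctl", "status", f"{AGENT_SERVICE}.service"]


def render_config(proxy_url=None):
    """config.yaml body; empty string when no proxy is wanted so no file is written."""
    if not proxy_url:
        return ""
    return f'HTTPProxyURL: "{proxy_url}"\n'


def auditd_needs_disable(state):
    """Decide from `systemctl is-active auditd` output whether auditd must go first."""
    return state.strip() in {"active", "activating", "reloading"}


def auditd_disable_commands():
    """The two commands the page gives for neutralizing auditd before the install."""
    return [["systemctl", "stop", "auditd"], ["systemctl", "disable", "auditd"]]


def install(intake_key, proxy_url=None, run=subprocess.run):
    """Perform the install; `run` is injectable so the plan can be dry-run in tests."""
    os_name = platform.system()
    if os_name == "Linux":
        if os.geteuid() != 0:
            raise PermissionError("the Linux install must run as root")
        # is-active exits non-zero when inactive, so do not pass check=True here
        probe = run(["systemctl", "is-active", "auditd"], capture_output=True, text=True)
        if auditd_needs_disable(probe.stdout or ""):
            for cmd in auditd_disable_commands():
                run(cmd, check=True)
        os.chmod("./agent", 0o755)  # chmod +x ./agent
    cfg = render_config(proxy_url)
    if cfg:
        # must exist in the working directory before the install command runs
        with open("config.yaml", "w", encoding="utf-8") as fh:
            fh.write(cfg)
    run(build_install_command(os_name, intake_key), check=True)
    run(build_verify_command(os_name), check=True)


if __name__ == "__main__":
    key = os.environ.get("INTAKE_KEY")
    if not key:
        sys.exit("set INTAKE_KEY (and optionally PROXY_URL) before running")
    install(key, os.environ.get("PROXY_URL"))
```

Run it from the directory holding the downloaded agent, as an administrator on Windows or as root on Linux; the proxy line is only written when PROXY_URL is set, so an install without a proxy leaves no config.yaml behind.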

Optional steps

Install Sysmon

If you want to improve detection and investigation capabilities, you may want to enable Sysmon. When installed, the SEKOIA.IO Agent will automatically collect logs produced by Sysmon if they are not already collected by the agent.

Warning: The installation of this tool will generate more logs, which will consume more CPU resources. Install it on equipment that is correctly sized, or try it on low-risk assets first.

Sysmon is a Microsoft tool downloadable from microsoft.com. Common installation instructions and a configuration file are available on SwiftOnSecurity's GitHub.